A last note on this thread. University of Texas does a free pen test for
non profits once or twice a year. Almost no one turns down free work. You
should have a contract, which includes scope, and limits your liabilities
for any outages or missed security vulnerabilities. No pen test can say
100% that a site is secure so a statement reflecting that or that the
test portrays a "snapshot in time" or something similar should be
included. A lawyer is always a good idea for any type of business, and if
you cant find one pro bono, PrePaid Legal is a cheap resource.
Scope and statement of work should be in the contract. This is gathered by
meeting with the organization and discussion what exactly will be
performed during the assessment. Statement of work and scope need to be in
writing. Should also include times/dates (get out of jail free card)
Client and Consultant contact information:
The contract should include contact information for a technical and a
management point of contact. Consultants information should also be
included, including IP addresses if remote. If after hours, an
after hours number should be included.
Post testing:
After the test you present the client a report. If they can fix things
with their staff, they usually will, if you want to fix them for free, I'm
sure they will take you up on the free work. Including a "step by step"
guide to how to fix security problems in the report is usually greatly
appreciated.
As far as boiler plates, a good ole google search should help.
Hope that helps,
Travis Good, CISSP, IAM
On Wed, 15 Dec 2004, Matt Bellizzi wrote:
Thanks for responding everyone. Well it looks like there are two camps
here. The first group mostly objects to the liability to me. The second
thinks it's a good idea. It looks like I should seek some legal advice.
Luckily my company offers that as a benefit. Or I'm sure I could probably
find a lawyer to do it pro-bono. Looks like I'll need a NDA for me, a
letter of intent and a agree to hold harmless for my client. If someone out
there has some boiler plate examples of these I would love to see em. A
couple of other issues were also brought to my attention. Like What is the
scope of the pen test? Also what happens after the pen-test? And finally
who to call if I DOS something. Off the top of my head. The scope of the
pen-test is Dependant on the client's network. The actions after the pentest
depends on if they staff or not. As for crashing machines....I'm thinking
that before even attempting to test I would have to meet with the whomever
they have on staff and co-ordinate off times for testing and contact numbers.
I would also not run actually dos exploits. This might not be considered a
pen-test but, I still think it might be useful and/or fun.
